Device, System, and Method of Policy Enforcement for Rich Execution Environment

ABSTRACT

Device, system, and method of policy enforcement for rich execution environment. An electronic device includes a Trusted Execution Environment (TEE), a Rich Execution Environment (REE), and a hardware-based secure sub-system which includes a cryptographic engine. The REE includes a cryptographic driver configured to initiate a request for TEE authorization to perform a particular cryptographic operation by the cryptographic engine on a data-item that is stored in a memory region that is accessible by the REE. The TEE includes a policies manager to determine whether the request from the REE is approved or rejected, and if approved, to inject data-items into the secure sub-system to enable performance of the requested cryptographic operation by the cryptographic engine.

FIELD

Some implementations relate to the field of electronic devices.

BACKGROUND

Millions of users utilize electronic devices on a daily basis forvarious purposes. Smartphones, tablets, laptop computers, desktopcomputers, and other electronic devices are utilized for wordprocessing, sending and receiving electronic mail (email), browsing theInternet, watching videos, capturing images, video conferencing,performing online purchases and transactions, and performing variousother activities.

An electronic device typically includes a processor able to executecode, a memory unit able to store code and data, an input unit, anoutput unit, and other components.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 a schematic illustration of a system, in accordance with someimplementations.

DETAILED DESCRIPTION

In accordance with some implementations, an electronic device or systemmay comprise a Trusted Execution Environment (TEE), or a TEE OperatingSystem (TEE OS), which enforces a TEE policy towards valuable data(e.g., purchased video content), which may be referred to as a datapath,that originates from or is initiated by (or that otherwise includes orinvolves) a co-located Rich Execution Environment (REE) and/or a REEOperating System (REE OS, or Rich OS). The TEE operates as a server oras a “slave” unit towards the REE. Accordingly, a Content ProtectionPolicy (CPP) infrastructure or architecture may enable a REE-initiateddatapath or a REE-controlled datapath, or a REE-managed datapath tooperate and to be utilized in conjunction with a cryptographic operation(e.g., decryption or encryption), while adhering to (or complying with)one or more relevant TEE-stored and TEE-enforced policies. The CPPinfrastructure may be implemented, for example, in an entirelyhardware-based processor or processing unit, or in a processing unit orprocessing system that comprises hardware components and/or firmwarecomponents and/or software components, or by using other suitableimplementation structures or architecture.

The CPP infrastructure may enable to invoke or to initiate one or morecryptographic operations (e.g., a Digital Rights Management (DRM)cryptographic operation, such as a DRM decryption operation of aDRM-protected frame of a DRM-protected video) directly from the REE. TheTEE then selects and enforces the requested or the relevant secure CPP,which causes the system to accept (or authorize, or allow) or converselyto reject (or unauthorize, or block, or prevent, or deny) thecryptographic operations(s) requested or initiated by the REE, in aseamless manner that still enables the REE or the Rich OS to initiateand control the datapath.

The CPP infrastructure may obviate the need to utilize a real-timeconnection between the TEE and another component (e.g., a hypervisor ora Virtual Machine Monitor (VMM)) having a different Exception Level(EL); rather, the CPP infrastructure enables the REE to handle memoryallocation and memory mapping, while the TEE only verifies theoperations parameters, enforces a relevant policy (e.g., by checkingthat the current operation parameters are matching constraints or valuesor are within a range specified in the policy), and approves or rejectsthe requested cryptographic operation. Particularly, someimplementations may reduce the need for buffering and/or for copying ofdata between the REE and the TEE; and/or may reduce the size of memorythat is required to be pre-allocated as Unsecured Protected Memory or asSecure Memory that is accessible only by the TEE (or, in someimplementations, by specific bus masters in a special “protected” modeof operation, which limits the visibility of non-secure software modulesinto internal register files) and not by the REE.

In accordance with the CPP infrastructure, a physical memory unit or aportion thereof, may be dynamically allocated and/or mapped and/orre-mapped, and may be utilized by an application stored in a regular(unsecured, unprotected) memory, and/or by an application stored inprotected yet non-secured memory. For example, a DRM application mayreside in unsecured storage, and may operate to playback or display adigital content-item (e.g., a DRM-protected video clip, an audio clip,an electronic book, or the like) if the suitable permission(s) areverified. Encrypted content is received and stored onto a regular(unsecured) memory region, and may be decrypted into protected (yetnon-secured) memory.

In a conventional processing system, the DRM content decryption process,including the DRM policy enforcement, is performed by the TEE or by theTEE OS. In contrast, the CPP infrastructure enables the REE, or the RichOS, to perform or to enable such DRM content decryption, if or after theTEE (or the TEE OS) provides the authorization to do so by enforcing therelevant CPP (e.g., the relevant DRM policy) selected from a database ofpolicies stored within the TEE. In accordance with the CPPinfrastructure, all or substantially all the memory handling (e.g.,memory allocation, memory de-allocation or re-allocation, memory mappingor re-mapping) may be performed dynamically by the REE and not by theTEE, and need not be pre-allocated at boot time of the electronicdevice. The content decryption itself may also be initiated and/orperformed by the REE (e.g., via a secure sub-system hardware component),and not by the TEE, as the CPP infrastructure provides a way for the TEEOS to enforce a DRM policy (or, to ensure that a DRM policy is compliedwith, as a condition for DRM playback or decryption or decoding), at thecommencement of the decryption process or immediately prior to it (or asa condition to performing it, or as a prerequisite to performing it).

The DRM policy that is enforced by the TEE, or the relevant CPP that isenforced by the TEE, may utilize or may check one or more parameters orconditions; for example, hardware key(s) usage, DRM key renewal, orother policy rules or parameters or conditions. It is noted that whileportions of the discussion herein may relate to DRM content or toDRM-related policy or operations, some implementations may similarly beutilized in conjunction with non-DRM related policies or content, or inconjunction with various types of cryptographic operations, decoding,encoding, decrypting, encrypting, authenticating, digitally signing,verifying signatures, or otherwise handling content or data ormeta-data, or otherwise executing code or processing data by a REEapplication in a manner that is conditioned upon firstly obtainingauthorization to do so from the TEE which ensures compliance with aTEE-stored and TEE-enforced policy.

The CPP infrastructure utilizes a CPP keys mechanism as a system-levelsolution, enabling to perform cryptographic operations (e.g., DRMdecryption) from and/or within the REE or the REE OS or a REEapplication (e.g., with the assistance of a secure sub-system hardwarecomponent). A particular sub-system (e.g., implemented by utilizing anArm® CryptoCell® or a similar component), which may be implemented usinghardware components and/or software components, may provide themechanism to notify the TEE or the TEE OS, via an interrupt or othermechanism, of a REE-based or a REE-initiated request to perform REE-sidecryptographic operations (e.g., DRM decryption), together with providingthe parameters or descriptors that are relevant to that request; therebyenabling the TEE or the TEE OS to select, apply and/or enforce therelevant CPP (e.g., the relevant DRM policy) in a secure manner, and toauthorize or un-authorize the requested cryptographic operation (e.g.,the requested DRM decryption).

Reference is made to FIG. 1, which is a schematic illustration of anelectronic device 100, in accordance with some implementations. Device100 may be, or may comprise, or may part of, for example, a computer, adesktop computer, a laptop computer, a tablet, a smartphone, a cellularphone, a portable communications device, a mobile communications device,a smart-watch, an electronic fitness device, a television or a smarttelevision, an audio playback device, a video playback device, anelectronic book (e-book) reader or reading device, a gaming device, agaming console, a portable gaming device, a vehicular device, avehicular dashboard component, a vehicular entertainment system, a homeentertainment system, a portable entertainment system, a digital contentconsumption device, a digital content playback device, a home appliance,an electronic device within an autonomous vehicle or a self-drivingvehicle, or the like.

Device 100 may comprise, for example: an input unit 191 able to receiveinput from an end-user (e.g., touchscreen, touchpad, keyboard, keypad,mouse, joystick, audio microphone); an output unit 192 able to displayor otherwise provide output to the end-user (e.g., screen, monitor,display unit, touchscreen, audio speakers); a memory unit 193 able tostore data and/or code, particularly for short-term storage (e.g.,Random Access Memory (RAM), volatile memory); a storage unit 194 able tostore data and/or code, particularly for long-term storage (e.g., HardDisk Drive (HDD), Solid State Drive (SSD), Flash memory, non-volatilememory); a power source 195 able to provide electrical power to one ormore components of device 100 (e.g., a battery, a power cell, arechargeable battery, a replaceable battery, a connection to mainselectricity); one or more wired and/or wireless communicationtransceivers 196 (e.g., a Wi-Fi or IEEE 802.11 transceiver, a Bluetoothtransceiver, a cellular transceiver, a cellular 2G or 3G or 4G or 4G-LTEor 5G or other transceiver); and a processing unit 199 (e.g., aprocessor, a Central Processing Unit (CPU), a Graphics Processing Unit(GPU), a Digital Signal Processor (DSP), a processing core, a logicunit, or the like) able to execute code or machine-readableinstructions, read data, process data, write data, and selectivelycommand or trigger or cause other components of device 100 to performoperations.

Device 100 may comprise a Trusted Execution Environment (TEE) 110, or asecure execution environment or a secured execution environment, whichmay be an isolated and secured area of sub-system (e.g., in or of aprocessing unit or a logic unit), and which is able to performprocessing operations in a manner that is protected from user-installedapplications. The TEE 110 may comprise, or may be implemented by, a TEEOperating System (OS), which manages and provides the secure performanceof operations within the TEE 110.

Device 100 may further comprise a Rich Execution Environment (REE) 130.The REE 130 may utilize or may be implemented by a conventional OS,which may be referred to as a “Rich OS” (e.g., Microsoft® Windows®, orAndroid®, or Apple® iOS®, which may manage user-installed applications,which may not necessarily require secured or highly-secured processingof data. Such Rich OS may comprise drivers, or may be associated withdrivers, to enable one or more user-installed applications to access oneor more hardware components of device 100 (e.g., to generate output to ascreen; to receive input from a keyboard or a mouse or a touch-screen;to read from storage; or the like).

REE 130 may comprise an audio/video playback application, or a contentplayback application, such as a DRM application 132 able to playbackDRM-protected content item(s) (e.g., audio clip, video clip). Forexample, if a suitable DRM license or DRM key is found and is validatedby a Cryptographic Driver 133 (e.g., residing in the REE 130), then thecontent-item may be decrypted or decoded, and may be played or displayedor otherwise outputted via the DRM application 132.

The REE 130 may further comprise a Memory Sub-System 150, which includesa System Memory Management Unit (SMMU) 151 and a Memory Unit 152. TheSMMU 151 may read data from memory unit 152, may write data to memoryunit 152, may perform mapping and re-mapping of memory unit 152 or ofportions thereof, may perform memory allocation or de-allocation orre-allocation operations, may perform caching operations, may managecaching, may manage or perform memory virtualization, may manage orenforce memory access privileges, and/or may perform other memorymanagement operations with regard to memory unit 152.

Memory unit 152 may comprise two regions: a Secured Memory region 161,and an Unsecured Memory region 162. For example, the Secured Memoryregion 161 is a particular region in memory that is carved-out at boottime of device 100 and is pre-allocated or pre-designated at boot timeto be utilized and managed and accessed exclusively by the TEE 110, andcannot be accessed by the REE 130 and/or by user-installed applications.In contrast, the Unsecured Memory region 162 is accessible by the REE130, and is dynamically managed by the REE 130. The Unsecured Memoryregion 162 is further divided into two sub-regions: an UnsecuredProtected Memory sub-region 162A (e.g., that only the TEE 110 can writeinto; and that the REE 130 can read from), and an Unsecured UnprotectedMemory sub-region 162B (e.g., that the REE 130 can both write into andread from).

In a conventional system that needs to decrypt a DRM-protected video,each frame of the video is DRM-protected, and each DRM-protected frameof the video is firstly copied from a REE buffer to a TEE buffer, inorder for the TEE to perform the DRM decryption operation. In contrast,in accordance with implementations of the CPP architecture, such copyingor buffering may not be required (optionally, some implementations maysupport utilization of fragmented memory as input/output, such that REEbuffers are very likely to be fragmented or may be in the form of alinked list); and a DRM-protected video frame need not be copied into aTEE-managed buffer or into a TEE-managed memory region; but rather, suchDRM-protected video frame may remain only in a memory region that ismanaged exclusively by the REE and not by the TEE.

Device 100 further comprises a hardware-based Secure Sub-System 140, ora hardware-only secure sub-system, which enables the operations of theCPP infrastructure and which enables the particular flow of operationsin which the TEE 110 and/or the REE 130 participate. For example, theSecure Sub-System 140 may comprise Key Slots/Parameters Slots 141, ableto store a DRM key index 142 and other parameters/descriptors 143 (e.g.,related to a REE-requested cryptographic operation) which are laterutilized for DRM decryption (if and when such DRM decryption isauthorized by TEE 110). The DRM decryption itself is performed by acryptographic engine 144, such as an Advanced Encryption Standard (AES)chip or engine, an SM4 chip or engine, or the like, which is part of thehardware-based Secure Sub-System 140. The cryptographic engine 144 maycomprise hardware registers, and/or may utilize a Direct Memory Access(DMA) unit 149 in order to read data from and/or write data into memorysub-system 150; particularly, SMMU 151 operates as a filtering unit thatdetermines which component or module may access which portions of memory152; and the DMA unit 149 is the intermediate unit between thecryptographic engine 144 and the SMMU 151.

In some implementations, the following demonstrative flow of operationsmay be performed; other and/or additional operations may be used.

Initially (arrow 1), a DRM handshake is performed between the REE 130and the TEE 110. For example, the DRM application 132 in the REE 130 mayinitiate and send a handshake message towards a DRM trusted application111 in the TEE 110. The handshake message may include, for example, DRMparameters and/or other data or meta-data to initialize theestablishment of a particular DRM session between the DRM application132 and the TEE 110. Arrow 1 is shown as a double-sided arrow: althoughthe initiation of the handshake is from the REE 130 towards the TEE 110,the handshake process may further comprise response(s) and/orexchange(s) of information from the REE 130 towards the TEE 110 and fromthe TEE 110 towards the REE 130. It is noted that for demonstrativepurposes, component 112 is labeled (and is referred to) as a DRM trustedapplication, although some implementations may utilize other suitabletypes of trusted applications within the TEE that need not necessarilybe DRM-based, for example, High-bandwidth Digital Content Protection(HDCP), or the like.

The DRM trusted application 112 may then construct or configure orupdate (arrow 2) a policies database 113 in TEE 110, which may store oneor more relevant policies or rules to be enforced or applied by TEE 110per DRM key.

A cryptographic driver 133 of REE 130 then injects or writes or inserts(arrow 3), into the Key Slots/Parameters Slots 141 of the SecureSub-System 140, a DRM key index 142 (e.g., having a single value out of8 or 16 or other range of values) as well as parameters/descriptors 143of a cryptographic operation that is requested to be performed by DRMapplication 132 (e.g., cryptographic decryption of a DRM-protected videoframe). The descriptors/parameters 143 may comprise, for example: adescriptor or an indication of the type of cryptographic operation thatis requested (e.g., decryption or encryption); a bit length of thecryptographic key to be used (e.g., 128 bits or 256 bits); an indicationof the cryptographic algorithm that is requested to be applied; anindication of a requested mode of operation of a block cipher (e.g., aCipher Block Chaining (CBC) mode, a Counter (CTR) mode, or the like); anInitialization Vector (IV); a value of a Counter (CTR); address-in oraddress-out or other address descriptors; indicators of DRM usage dataor meta-data; and/or other parameters or descriptors. In someimplementations, the insertion of data-items from the cryptographicdriver 133 of the REE 130 into the Key Slots/Parameters Slots 141 of thesecure sub-system 140, may optionally be performed via a bufferingmechanism or a queuing mechanism; and may be a no-changes-allowed typeor writing or insertion, such that data-items that were introduced bythe cryptographic driver 133 of the REE 130 into the KeySlots/Parameters Slots 141 of the secure sub-system 140 cannot bemodified or erased or removed or over-written by the cryptographicdriver 133 and/or by other components of the REE 130.

The injection or the writing of such parameters/descriptors 143 and theDRM key index 142 into the Key Slots/Parameters Slots 141, or at leastone of such writing or injection operations (e.g., utilization of thelast key slot available), causes or triggers an interrupt (arrow 4) fromthe secure sub-system 140 towards the TEE 110, and particularly towardsa Policies Manager 114 in the TEE 110 which receives such interrupt andis thus triggered to intervene and operate. Arrow 4 is pointing towardssouth-west, to indicate that the direction of the interrupt is from thesecure sub-system 140 towards the policies manager 114 in the TEE 110.

The policies manager 114 in the TEE 110 reads or obtains or otherwiseactively fetches (arrow 5), from the Key Slots/Parameters Slots 141 ofthe secure sub-system 140, a copy of the DRM key index 142 and/or a copyof parameters/descriptors 143 of cryptographic operation that isrequested by the REE 130. The obtaining operations may be performed, forexample, by utilizing a hardware interface (e.g., by reading from theregisters of the cryptographic engine 144). Arrow 5 is shown pointingsouth-west to indicate the direction in which the information flows,from the secure sub-system 140 to the policies manager 114; although thepolicies manager 114 may actively access the secure sub-system 140 toactively fetch or read such information therefrom.

The policies manager 114 checks or verifies (arrow 6) whether therequested DRM operation is permissible or is valid, based on the DRM keyindex and the particular policy associated with that DRM key, and(optionally, in some implementations) based also on the other parametersor descriptors as obtained from the Key Slots/Parameters Slots 141.

If the DRM operation is verified as permissible or valid, then thepolicies manager 114 of the TEE 110 proceeds to load or transfer orwrite a suitable DRM key (arrow 7) into shadow key registers 147 in theSecured Sub-System 140. Additionally, the policies manager 114 of theTEE 110 writes or injects or transfers (arrow 8) a required Stream ID145 into the Secured Sub-System 140, via a hardware interface, based oninformation that the policies manager 114 obtains from the policiesdatabase 113 within the TEE 110. The Stream ID 145 is copied ortransferred to the SMMU 151 of the memory sub-system 150 (such as,optionally, via the DMA unit 149).

The policies manager 114 of the TEE 110 further sends or generates ornotifies an operation verdict (arrow 9), such as either an authorizationdecision or a rejection decision, to the secure sub-system 140, by wayof register signaling or other suitable notification method. Forexample, if the policies manager 114 determines that the requested DRMoperation is permissible, based on the relevant policy obtained from thepolicies database 113 and in view of the DRM index key 142 and theparameters/descriptors 143, then the policies manager 114 of the TEE 110sends an authorization message or an approval message to the securesub-system 140. Conversely, if the policies manager 114 determines thatthe requested DRM operation is not permissible, then the policiesmanager sends a rejection message to the secure sub-system 140, and/orcauses a reset to (or a denial of, or a failure of, or an aborting of)the requested DRM operation (e.g., by triggering a reset of thecryptographic engine 144, or a reset of its cryptographic parameters),and/or by setting or triggering an error interrupt towards the REE 130(which waits to receive either a completion message or an errorinterrupt). Accordingly, the cryptographic engine 144 in the securesub-system 140, is either (i) triggered to proceed and perform the DRMoperation by an acceptance message from the policies manager 114 of theTEE 110, or (ii) is triggered to reset or abort or otherwise not performthe DRM operation by a rejection signal or an interrupt from thepolicies manager 114 of the TEE 110.

In the case of acceptance or authorization of the requested DRMoperation, the Secure Sub-System 140 loads the DRM key that was providedby the policies manager 114, from the shadow key registers 147 into therelevant cryptographic engine 144 (arrow 10), which also obtains theparameters/descriptors of the cryptographic operation from the KeySlots/Parameters Slots 141 (arrow 11); and the requested DRM operationor cryptographic operation is performed by the relevant cryptographicengine 144 by using the relevant parameters (the DRM key, the IV, andother data or meta-data).

Upon completion of the cryptographic operation, an interrupt or acompletion message is issued (arrow 12) by the Secure Sub-System 140 tothe cryptographic driver 133 in the REE 130. In some implementations, afinal interrupt may be issued back to the REE 130 in any case, or at theend of the cryptographic operation; or if a pre-defined time-period haselapsed without receiving an operation verdict (acceptance or rejection)from the policies manager 114 of the TEE 110. For example, a WatchdogModule 148 in the Secure Sub-System 140 may monitor the elapsed timesince the request was made to the TEE 110, and may issue a rejectioninterrupt back to the cryptographic driver 133 of the REE 130 if nooperation verdict message was received from the policies manager 114 ofthe TEE 110 within a pre-defined timeout period (e.g., within 1 second,or within 2 seconds, or within other pre-defined period); such as, toenforce a pre-defined policy that a requested cryptographic operation,that did not receive a positive authorization response from the policiesmanager 114 of the TEE 110 within a pre-defined time period, is handledas a rejected or a denied cryptographic operation.

Some implementations may comprise and/or may utilize the followingfeatures or some of them: (a) allocation and utilization of KeySlots/Parameters Slots 141, to enable injection of information by theREE 130 with regard to a requested cryptographic operation that the TEEis requested to approve or deny; (b) an interrupt mechanism,particularly a REE-to-TEE interrupt (e.g., directly, or through thesecure sub-system 140), and/or a secure sub-system 140 to TEE 130interrupt, which triggers the policy manager 114 of the TEE 110 tooperate once the REE 130 initiates a cryptographic operation or acryptographic process that is associated with a particular DRM key indexor with a particular key slot; (c) a hardware interface (e.g.,implementing secure-only access) that allows the policy manager 114 ofthe TEE 110 to obtain the parameters or descriptors (and the DRM keyindex) of the requested cryptographic operations, and to verify themagainst a TEE-based policies database; (d) a hardware interface (e.g.,implementing secure-only access) that allows the policies manager 114 ofthe TEE 110 to configure, set and/or modify the parameters of therequested cryptographic operation (e.g., the key data, the Stream_IDparameter); (e) a hardware interface (e.g., implementing secure-onlyaccess) that allows the policy manager 114 of the TEE 110 to selectivelyeither accept or reject the cryptographic operation or cryptographicprocess that was requested by the REE 130, and securely issue a decisionverdict or an operation verdict to the secure sub-system; (f) anoptional utilization of Watchdog Module 148 to reject or to block or todeny a requested cryptographic operation if the policy manager 114 ofthe TEE 110 did not authorize it within a pre-defined, monitored, timeperiod; (g) an interface or protocol (e.g., similar to Arm® AdvancedeXtensible Interface (API)) that enables utilization of protocol sidechannel signals (e.g., Stream_ID) that may be controlled by a masterentity (e.g., an AXI Master or AXIM) based on the TEE configuration.

In accordance with the CPP architecture, the REE 130 (and not the TEE110) is the entity that controls and manages the data-path and pushesthe content item (e.g., discrete, separate, DRM-protected frames of aDRM-protected video, on a frame-by-frame basis) into the securesub-system 140, and it is the REE 130 (and not the TEE 110) thatinitiates the cryptographic process and initiates the invocation of theTEE 110 for the purpose of authorizing or rejecting the requestedcryptographic operation; without the need to copy or buffer or injectthe actual payload (e.g., each DRM-protected frame) from the REE 130into the TEE 110, or from the REE 130 into the Secured Memory region161. In some implementations, optionally, each such DRM-protected framemay be copied from the Unsecured Unprotected memory 162B to theUnsecured Protected memory 162A, but need not be copied into (orbuffered or stored at) the Secured Memory 161. The DRM-protected frameis thus maintained, at all times, only in Unsecured Memory 162, and onlyin memory regions that the REE 130 (and not the TEE 110) is capable ofdynamically managing, and only in memory regions that do not requirecarving-out at boot time of the device, and only in memory regions thatthe REE is capable of dynamically allocating or re-allocating orre-mapping post-boot time and during regular (non-boot) operation of theelectronic device.

The CPP architecture may be particularly beneficial when integrated intoelectronic devices or electronic systems that require extensivedecryption of DRM content, for example, a smartphone, a tablet, adesktop computer, a laptop computer, a gaming console or gaming device,an audio/video playback device, a Digital Television (DTV) unit, atelevision, a smart television, an Internet-connected television, aset-top box, a cable box, a cable television box or decoder, a satellitetelevision box or decoder, a multimedia streamer, a video streamer, anaudio streamer, an audio/video streamer, a vehicular audio/video system,a vehicular audio/video playback unit, a vehicular multimedia system, orthe like; as well as other suitable devices or systems which may requiresharing of some (but not all) memory regions between a REE and aco-located TEE, particularly for cryptographic operations, decodingoperations, decrypting operations, or DRM-related operations.

In accordance with some implementations, for example, an electronicdevice comprises: a Trusted Execution Environment (TEE) to securelyexecute code; a co-located Rich Execution Environment (REE) to executecode; and a co-located hardware-based secure sub-system which comprisesa cryptographic engine able to perform cryptographic operations. The REEcomprises a cryptographic driver configured to initiate a request forTEE authorization to perform a particular cryptographic operation by thecryptographic engine on a data-item that is stored in a memory regionthat is accessible by the REE. The TEE comprises a policies manager todetermine whether said request from the REE is approved or rejected, andif approved, to inject one or more data-items into said securesub-system to enable performance of said particular cryptographicoperation by said cryptographic engine in the secure sub-system.

The policies manager in the TEE is to determine whether to approve orreject said request, and is to further determine how to configure saidone or more data-items, based on a query to a per-key policies databasewithin the TEE. The TEE further comprises a hardware interface forsecure retrieval of policy data from said policies database by saidpolicies manager. The policies manager in the TEE is to inject said oneor more data-items into a shadow register in said secure sub-system; andthe cryptographic engine in the secure sub-system utilizes data-itemsfrom said shadow register, to perform said particular cryptographicoperation that was requested by said cryptographic driver of the REE.

The request to perform said particular cryptographic operation maycomprise at least the following descriptors: (a) an indication of aDigital Rights Management (DRM) key index, (b) an indication of whichcryptographic engine is requested to be invoked, (c) an indication of arequested mode of operation selected from the group consisting ofencryption and decryption, (d) an indication of an Initialization Vector(IV) or a Counter, (e) an indication of a requested mode of operation ofa block cipher which is selected from the group consisting of: a CipherBlock Chaining (CBC) mode, and a Counter (CTR) mode; wherein saiddescriptors were injected by the cryptographic driver of the REE intokey slots in said secure sub-system.

The policies manager in the TEE is to utilize a hardware interface,between the TEE and the secure sub-system, to inject said one or moredata-items into said secure sub-system. The policies manager of the TEEis to inject at least a value of a DRM Stream_ID parameter and anacceptance or rejection response to said request, over said hardwareinterface, into the secure sub-system. The secure sub-system furthercomprises a watchdog unit, to initiate a request rejection interrupttowards said cryptographic driver of the REE if a request approval isnot received from the policies manager of the TEE within a pre-definedtime period.

The request from the cryptographic driver of the REE towards the TEE isimplemented as an interrupt from the secure sub-system to the policiesmanager of the TEE. The interrupt is triggered by insertion of one ormore data-items by the cryptographic driver of the REE into one or moreslots of the secure sub-system. The interrupt is initiated subsequent toan initial Digital Rights Management (DRM) handshake which initializes aparticular DRM session between (i) a DRM application in the REE, and(ii) a DRM trusted application within the TEE.

The cryptographic operation may be a cryptographic operation selectedfrom the group consisting of: (i) decryption of a media content itemthat is cryptographically associated with Digital Rights Management(DRM) protection, (ii) pre-transmission encryption of a media contentitem in accordance with High-bandwidth Digital Content Protection(HDCP).

The cryptographic operation may be decryption of a single DRM-protectedframe of a DRM-protected video that a DRM application in the REErequests to playback. The cryptographic driver of the REE issues aseparate request for decryption of each frame of said DRM-protectedvideo, one frame at a time. The policies manager of the TEE determines,separately, for each request to decrypt each of said frames, whether toaccept or reject said request, based on (i) a DRM key index and (ii) oneor more descriptors of each requested decryption operation and (iii) aper-key policy obtained from a policies database within the TEE over asecure channel. The DRM-protected frame is stored by the REE in anunsecured unprotected memory region of a memory unit of the electronicdevice, that is accessible by the REE and by the TEE, and that isdynamically managed only by the REE.

The cryptographic operation may be encryption of a single frame of avideo intended for DRM-protection. The cryptographic driver of the REEissues a separate request for encryption of each frame of said video,one frame at a time. The policies manager of the TEE determines,separately, for each request to encrypt each of said frames, whether toaccept or reject said request, based on (i) a DRM key index and (ii) oneor more descriptors of each requested encryption operation and (iii) aper-key policy obtained from a policies database within the TEE over asecure channel. The DRM-protected frame is stored by the REE in anunsecured unprotected memory region of a memory unit of the electronicdevice, that is accessible by the REE and by the TEE, and that isdynamically managed only by the REE.

In accordance with some implementations, a processing system comprises:a Trusted Execution Environment (TEE) to securely execute code, whereinthe TEE is co-located near a Rich Execution Environment (REE). The TEEcomprises a trusted Digital Rights Management (DRM) application,configured to establish a particular DRM session between the TEE and aDRM playback application of the REE. The TEE comprises a policiesmanager unit, (i) to receive from a secure sub-system of the processingsystem an interrupt indicating a request to authorize a particularDRM-related cryptographic operation by said secure sub-system on acontent-item that is stored in unsecured unprotected memory that isdynamically managed by the REE, (ii) to verify said request based ondata obtained by the policies manager unit from a co-located policiesdatabase within the TEE, (iii) to authorize said request by writing viaa hardware interface one or more parameters into one or more shadowregisters of the secure sub-system which are accessible by acryptographic engine, said one or more parameters enabling saidcryptographic engine of the secure sub-system to perform said particularDRM-related cryptographic operation.

The one or more parameters, that are written by the policies managerunit of the TEE via the hardware interface into the secure sub-system,may comprise at least a value of a DRM Stream_ID parameter. The policiesmanager unit of the TEE retrieves data from said co-located policiesdatabase of the TEE via a secure-only access over a hardware interfacethat connects the policies manager unit and the policies database.

The processing system may comprise a memory unit having: (i) a securedmemory region that is carved-out at boot time and is pre-allocated forexclusive access of the TEE and not of the REE, and (ii) an unsecuredmemory region that is dynamically managed by the REE. The policiesmanager of the TEE authorizes or denies said particular DRM-relatedcryptographic operation with regard to a DRM-protected content-item thatis stored only in the unsecured memory region, and that is not copiedinto and is not stored I the secured memory region.

In accordance with some implementations, a method is implementable by aprocessing system that comprises a Trusted Execution Environment (TEE)co-located with a Rich Execution Environment (REE). The method maycomprise: performing a Digital Rights Management (DRM) handshake, toestablish a particular DRM session between (i) a DRM playbackapplication in the REE and (ii) a trusted DRM application in the TEE;storing, in a secure sub-system of said processing system that isaccessible by both the REE and the TEE, one or more descriptors of arequested DRM operation that is requested by said DRM playbackapplication of the REE; wherein said storing of the one or moredescriptors triggers a sending of an interrupt to a policies managerunit in the TEE, wherein the interrupt indicates a request by the REE toobtain TEE authorization to perform said requested DRM operation;evaluating said request by said policies manager unit within the TEE,based on (i) one or more DRM policies that are securely stored in aco-located policies database within the TEE, and (ii) a DRM key indexand other descriptors of said requested DRM operation, that are insertedby the REE into slots in the secure sub-system; if said request isevaluated as authorized, then: (I) inserting by the policies manager ofthe TEE, via a hardware interface, into one or more slots in the securesub-system, one or more parameters that enable a cryptographic engine inthe secure sub-system to perform said requested DRM operation; and (II)sending a request authorization message from the policies manager unitof the TEE to the cryptographic engine in the secure sub-system.

If said request is evaluated as authorized, then: performing saidrequested DRM operation in the cryptographic engine, by utilizing: (i) avalue of a Stream_ID parameter that is provided securely over a hardwareinterface by the policies manager unit of the TEE, and (ii) a DRM keyobtained from the cryptographic driver of the REE, and (iii) one or moreparameters of the requested DRM operation as obtained from thecryptographic driver of the REE. The requested DRM operation may be arequest to decrypt a DRM-protected frame of a DRM-protected video; andsaid evaluating of the request by the policies manager unit within theTEE, excludes and does not utilize copying or buffering saidDRM-protected frame into a secured memory region that is accessible onlyby the TEE.

In some implementations, calculations, operations and/or determinationsmay be performed locally within a single device, or may be performed byor across multiple devices, or may be performed partially locally andpartially remotely (e.g., at a remote server) by optionally utilizing acommunication channel to exchange raw data and/or processed data and/orprocessing results.

Although portions of the discussion herein relate, for demonstrativepurposes, to wired links and/or wired communications, someimplementations are not limited in this regard, but rather, may utilizewired communication and/or wireless communication; may include one ormore wired and/or wireless links; may utilize one or more components ofwired communication and/or wireless communication; and/or may utilizeone or more methods or protocols or standards of wireless communication.

Some implementations may utilize a special-purpose machine or aspecific-purpose device that is not a generic computer, or may use anon-generic computer or a non-general computer or machine. Such systemor device may utilize or may comprise one or more components or units ormodules that are not part of a “generic computer” and that are not partof a “general purpose computer”, for example, cellular transceiver,cellular transmitter, cellular receiver, GPS unit, location-determiningunit, accelerometer(s), gyroscope(s), device-orientation detectors orsensors, device-positioning detectors or sensors, or the like.

Some implementations may utilize an automated method or automatedprocess, or a machine-implemented method or process, or as asemi-automated or partially-automated method or process, or as a set ofsteps or operations which may be executed or performed by a computer ormachine or system or other device.

Some implementations may utilize code or program code ormachine-readable instructions or machine-readable code, which may bestored on a non-transitory storage medium or non-transitory storagearticle (e.g., a CD-ROM, a DVD-ROM, a physical memory unit, a physicalstorage unit), such that the program or code or instructions, whenexecuted by a processor or a machine or a computer, cause such processoror machine or computer to perform a method or process as describedherein. Such code or instructions may be or may comprise, for example,one or more of: software, a software module, an application, a program,a subroutine, instructions, an instruction set, computing code, words,values, symbols, strings, variables, source code, compiled code,interpreted code, executable code, static code, dynamic code; including(but not limited to) code or instructions in high-level programminglanguage, low-level programming language, object-oriented programminglanguage, visual programming language, compiled programming language,interpreted programming language, C, C++, C#, Java, JavaScript, SQL,Ruby on Rails, Go, Cobol, Fortran, ActionScript, AJAX, XML, JSON, Lisp,Eiffel, Verilog, Hardware Description Language (HDL), Register-TransferLevel (RTL), BASIC, Visual BASIC, Matlab, Pascal, HTML, HTMLS, CSS,Perl, Python, PHP, machine language, machine code, assembly language, orthe like.

Discussions herein utilizing terms such as, for example, “processing”,“computing”, “calculating”, “determining”, “establishing”, “analyzing”,“checking”, “detecting”, “measuring”, or the like, may refer tooperation(s) and/or process(es) of a processor, a computer, a computingplatform, a computing system, or other electronic device or computingdevice, that may automatically and/or autonomously manipulate and/ortransform data represented as physical (e.g., electronic) quantitieswithin registers and/or accumulators and/or memory units and/or storageunits into other data or that may perform other suitable operations.

The terms “plurality” and “a plurality”, as used herein, include, forexample, “multiple” or “two or more”. For example, “a plurality ofitems” includes two or more items.

References to “one embodiment”, “an embodiment”, “demonstrativeembodiment”, “various embodiments”, “some embodiments”, and/or termssuch as “implementation” or “implementations”, may indicate that theembodiment(s) or implementation(s) so described may optionally include aparticular feature, structure, functionality, or characteristic, but notevery embodiment or implementation necessarily includes the particularfeature, structure, functionality or characteristic. Furthermore,repeated use of the phrase “in one embodiment” or “in oneimplementation”, does not necessarily refer to the same embodiment,although it may. Similarly, repeated use of the phrase “in someembodiments” or “in some implementations”, does not necessarily refer tothe same set or group of embodiments or implementations, although itmay.

As used herein, and unless otherwise specified, the utilization ofordinal adjectives such as “first”, “second”, “third”, “fourth”, and soforth, to describe an item or an object, merely indicates that differentinstances of such like items or objects are being referred to; and doesnot intend to imply as if the items or objects so described must be in aparticular given sequence, either temporally, spatially, in ranking, orin any other ordering manner.

Some implementations may be used in, or in conjunction with, variousdevices and systems, for example, a Personal Computer (PC), a desktopcomputer, a mobile computer, a laptop computer, a notebook computer, atablet computer, a server computer, a handheld computer, a handhelddevice, a Personal Digital Assistant (PDA) device, a handheld PDAdevice, a tablet, an on-board device, an off-board device, a hybriddevice, a vehicular device, a non-vehicular device, a mobile or portabledevice, a set-top box, a cables television box or receiver or decoder, asatellite-based television box or receiver or decoder, a consumerdevice, a non-mobile or non-portable device, an appliance, a wirelesscommunication station, a wireless communication device, a wirelessAccess Point (AP), a wired or wireless router or gateway or switch orhub, a wired or wireless modem, a video device, an audio device, anaudio-video (A/V) device, a wired or wireless network, a wireless areanetwork, a Wireless Video Area Network (WVAN), a Local Area Network(LAN), a Wireless LAN (WLAN), a Personal Area Network (PAN), a WirelessPAN (WPAN), or the like.

Some implementations may be used in conjunction with one way and/ortwo-way radio communication systems, cellular radio-telephonecommunication systems, a mobile phone, a cellular telephone, a wirelesstelephone, a Personal Communication Systems (PCS) device, a PDA orhandheld device which incorporates wireless communication capabilities,a mobile or portable Global Positioning System (GPS) device, a devicewhich incorporates a GPS receiver or transceiver or chip, a device whichincorporates an RFID element or chip, a Multiple Input Multiple Output(MIMO) transceiver or device, a Single Input Multiple Output (SIMO)transceiver or device, a Multiple Input Single Output (MISO) transceiveror device, a device having one or more internal antennas and/or externalantennas, Digital Video Broadcast (DVB) devices or systems,multi-standard radio devices or systems, a wired or wireless handhelddevice, e.g., a Smartphone, a Wireless Application Protocol (WAP)device, or the like.

Some implementations may comprise, or may be implemented by using, an“app” or application which may be downloaded or obtained from an “appstore” or “applications store”, for free or for a fee, or which may bepre-installed on a computing device or electronic device, or which maybe otherwise transported to and/or installed on such computing device orelectronic device.

Functions, operations, components and/or features described herein withreference to one or more implementations, may be combined with, or maybe utilized in combination with, one or more other functions,operations, components and/or features described herein with referenceto one or more other implementations. Some implementations may compriseany possible or suitable combinations, re-arrangements, assembly,re-assembly, or other utilization of some or all of the modules orfunctions or components or units that are described herein, even if theyare discussed in different locations or different chapters of the abovediscussion, or even if they are shown across different drawings ormultiple drawings.

While certain features of some demonstrative implementations have beenillustrated and described herein, various modifications, substitutions,changes, and equivalents may occur to those skilled in the art.Accordingly, the claims are intended to cover all such modifications,substitutions, changes, and equivalents.

What is claimed is:
 1. An electronic device comprising: a TrustedExecution Environment (TEE) to securely execute code; a Rich ExecutionEnvironment (REE) to execute code; a hardware-based secure sub-systemwhich comprises a cryptographic engine able to perform cryptographicoperations; wherein the REE comprises a cryptographic driver configuredto initiate a request for TEE authorization to perform a particularcryptographic operation by the cryptographic engine on a data-item thatis stored in a memory region that is accessible by the REE; wherein theTEE comprises a policies manager to determine whether said request fromthe REE is approved or rejected, and if approved, to inject one or moredata-items into said secure sub-system to enable performance of saidparticular cryptographic operation by said cryptographic engine in thesecure sub-system.
 2. The electronic device of claim 1, wherein thepolicies manager in the TEE is to determine whether to approve or rejectsaid request, and is to further determine how to configure said one ormore data-items, based on a query to a per-key policies database withinthe TEE.
 3. The electronic device of claim 2, wherein the TEE furthercomprises a hardware interface for secure retrieval of policy data fromsaid policies database by said policies manager.
 4. The electronicdevice of claim 1, wherein the policies manager in the TEE is to injectsaid one or more data-items into a shadow register in said securesub-system; wherein the cryptographic engine in the secure sub-systemutilizes data-items from said shadow register, to perform saidparticular cryptographic operation that was requested by saidcryptographic driver of the REE.
 5. The electronic device of claim 1,wherein said request to perform said particular cryptographic operationcomprises at least the following descriptors: (a) an indication of aDigital Rights Management (DRM) key index, (b) an indication of whichcryptographic engine is requested to be invoked, (c) an indication of arequested mode of operation selected from the group consisting ofencryption and decryption, (d) an indication of an Initialization Vector(IV) or a Counter, (e) an indication of a requested mode of operation ofa block cipher which is selected from the group consisting of: a CipherBlock Chaining (CBC) mode, and a Counter (CTR) mode; wherein saiddescriptors were injected by the cryptographic driver of the REE intokey slots in said secure sub-system.
 6. The electronic device of claim1, wherein the policies manager in the TEE is to utilize a hardwareinterface, between the TEE and the secure sub-system, to inject said oneor more data-items into said secure sub-system.
 7. The electronic deviceof claim 6, wherein the policies manager of the TEE is to inject atleast a value of a DRM Stream_ID parameter and an acceptance orrejection response to said request, over said hardware interface, intothe secure sub-system.
 8. The electronic device of claim 1, wherein thesecure sub-system further comprises a watchdog unit, to initiate arequest rejection interrupt towards said cryptographic driver of the REEif a request approval is not received from the policies manager of theTEE within a pre-defined time period.
 9. The electronic device of claim1, wherein said request from the cryptographic driver of the REE towardsthe TEE is implemented as an interrupt from the secure sub-system to thepolicies manager of the TEE, wherein said interrupt triggered byinsertion of one or more data-items by the cryptographic driver of theREE into one or more slots of the secure sub-system.
 10. The electronicdevice of claim 1, wherein said interrupt is initiated subsequent to aninitial Digital Rights Management (DRM) handshake which initializes aparticular DRM session between (i) a DRM application in the REE, and(ii) a DRM trusted application within the TEE.
 11. The electronic deviceof claim 1, wherein said cryptographic operation is a cryptographicoperation selected from the group consisting of: (i) decryption of amedia content item that is cryptographically associated with DigitalRights Management (DRM) protection, (ii) pre-transmission encryption ofa media content item in accordance with High-bandwidth Digital ContentProtection (HDCP).
 12. The electronic device of claim 1, wherein saidcryptographic operation is decryption of a single DRM-protected frame ofa DRM-protected video that a DRM application in the REE requests toplayback; wherein the cryptographic driver of the REE issues a separaterequest for decryption of each frame of said DRM-protected video, oneframe at a time; wherein the policies manager of the TEE determines,separately, for each request to decrypt each of said frames, whether toaccept or reject said request, based on (i) a DRM key index and (ii) oneor more descriptors of each requested decryption operation and (iii) aper-key policy obtained from a policies database within the TEE over asecure channel; wherein said DRM-protected frame is stored by the REE inan unsecured unprotected memory region of a memory unit of theelectronic device, that is accessible by the REE and by the TEE, andthat is dynamically managed only by the REE.
 13. The electronic deviceof claim 1, wherein said cryptographic operation is encryption of asingle frame of a video intended for DRM-protection; wherein thecryptographic driver of the REE issues a separate request for encryptionof each frame of said video, one frame at a time; wherein the policiesmanager of the TEE determines, separately, for each request to encrypteach of said frames, whether to accept or reject said request, based on(i) a DRM key index and (ii) one or more descriptors of each requestedencryption operation and (iii) a per-key policy obtained from a policiesdatabase within the TEE over a secure channel; wherein saidDRM-protected frame is stored by the REE in an unsecured unprotectedmemory region of a memory unit of the electronic device, that isaccessible by the REE and by the TEE, and that is dynamically managedonly by the REE.
 14. A processing system comprising: a Trusted ExecutionEnvironment (TEE) to securely execute code, wherein the TEE isco-located near a Rich Execution Environment (REE); wherein the TEEcomprises a trusted Digital Rights Management (DRM) application,configured to establish a particular DRM session between the TEE and aDRM playback application of the REE; wherein the TEE comprises apolicies manager unit, (i) to receive from a secure sub-system of theprocessing system an interrupt indicating a request to authorize aparticular DRM-related cryptographic operation by said secure sub-systemon a content-item that is stored in unsecured unprotected memory that isdynamically managed by the REE, (ii) to verify said request based ondata obtained by the policies manager unit from a co-located policiesdatabase within the TEE, (iii) to authorize said request by writing viaa hardware interface one or more parameters into one or more shadowregisters of the secure sub-system which are accessible by acryptographic engine, said one or more parameters enabling saidcryptographic engine of the secure sub-system to perform said particularDRM-related cryptographic operation.
 15. The processing system of claim14, wherein said one or more parameters, that are written by thepolicies manager unit of the TEE via the hardware interface into thesecure sub-system, comprise at least a value of a DRM Stream_IDparameter.
 16. The processing system of claim 14, wherein the policiesmanager unit of the TEE retrieves data from said co-located policiesdatabase of the TEE via a secure-only access over a hardware interfacethat connects the policies manager unit and the policies database. 17.The processing system of claim 14, wherein the processing systemcomprises a memory unit having: (i) a secured memory region that iscarved-out at boot time and is pre-allocated for exclusive access of theTEE and not of the REE, and (ii) an unsecured memory region that isdynamically managed by the REE; wherein the policies manager of the TEEauthorizes or denies said particular DRM-related cryptographic operationwith regard to a DRM-protected content-item that is stored only in theunsecured memory region, and that is not copied into and is not stored Ithe secured memory region.
 18. A method implementable by a processingsystem that comprises a Trusted Execution Environment (TEE) co-locatedwith a Rich Execution Environment (REE), the method comprising:performing a Digital Rights Management (DRM) handshake, to establish aparticular DRM session between (i) a DRM playback application in the REEand (ii) a trusted DRM application in the TEE; storing, in a securesub-system of said processing system that is accessible by both the REEand the TEE, one or more descriptors of a requested DRM operation thatis requested by said DRM playback application of the REE; wherein saidstoring of the one or more descriptors triggers a sending of aninterrupt to a policies manager unit in the TEE, wherein the interruptindicates a request by the REE to obtain TEE authorization to performsaid requested DRM operation; evaluating said request by said policiesmanager unit within the TEE, based on (i) one or more DRM policies thatare securely stored in a co-located policies database within the TEE,and (ii) a DRM key index and other descriptors of said requested DRMoperation, that are inserted by the REE into slots in the securesub-system; if said request is evaluated as authorized, then: (I)inserting by the policies manager of the TEE, via a hardware interface,into one or more slots in the secure sub-system, one or more parametersthat enable a cryptographic engine in the secure sub-system to performsaid requested DRM operation; and (II) sending a request authorizationmessage from the policies manager unit of the TEE to the cryptographicengine in the secure sub-system.
 19. The method of claim 18, furthercomprising: if said request is evaluated as authorized, then: performingsaid requested DRM operation in the cryptographic engine, by utilizing:(i) a value of a Stream_ID parameter that is provided securely over ahardware interface by the policies manager unit of the TEE, and (ii) aDRM key obtained from the cryptographic driver of the REE, and (iii) oneor more parameters of the requested DRM operation as obtained from thecryptographic driver of the REE.
 20. The method of claim 18, wherein therequested DRM operation is a request to decrypt a DRM-protected frame ofa DRM-protected video; wherein said evaluating of the request by thepolicies manager unit within the TEE, excludes and does not utilizecopying or buffering said DRM-protected frame into a secured memoryregion that is accessible only by the TEE.